Vulnerabilities > CVE-2008-4989 - Improper Certificate Validation vulnerability in multiple products
Attack vector
NETWORK Attack complexity
HIGH Privileges required
NONE Confidentiality impact
NONE Integrity impact
HIGH Availability impact
NONE Summary
The _gnutls_x509_verify_certificate function in lib/x509/verify.c in libgnutls in GnuTLS before 2.6.1 trusts certificate chains in which the last certificate is an arbitrary trusted, self-signed certificate, which allows man-in-the-middle attackers to insert a spoofed certificate for any Distinguished Name (DN).
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Creating a Rogue Certificate Authority Certificate An attacker exploits a weakness in the MD5 hash algorithm (weak collision resistance) to generate a certificate signing request (CSR) that contains collision blocks in the "to be signed" part. The attacker specially crafts two different, but valid X.509 certificates that when hashed with the MD5 algorithm would yield the same value. The attacker then sends the CSR for one of the certificates to the Certification Authority which uses the MD5 hashing algorithm. That request is completely valid and the Certificate Authority issues an X.509 certificate to the attacker which is signed with its private key. An attacker then takes that signed blob and inserts it into another X.509 certificate that the attacker generated. Due to the MD5 collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the attackers' second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority. To make the attack more interesting, the second certificate could be not just a regular certificate, but rather itself a signing certificate. Thus the attacker is able to start their own Certification Authority that is anchored in its root of trust in the legitimate Certification Authority that has signed the attackers' first X.509 certificate. If the original Certificate Authority was accepted by default by browsers, so will now the Certificate Authority set up by the attacker and of course any certificates that it signs. So the attacker is now able to generate any SSL certificates to impersonate any web server, and the user's browser will not issue any warning to the victim. This can be used to compromise HTTPS communications and other types of systems where PKI and X.509 certificates may be used (e.g., VPN, IPSec) .
Nessus
NASL family Fedora Local Security Checks NASL id FEDORA_2008-9530.NASL description - Tue Nov 11 2008 Tomas Mraz <tmraz at redhat.com> 2.0.4-4 - fix chain verification issue CVE-2008-4989 (#470079) - Tue May 20 2008 Tomas Mraz <tmraz at redhat.com> 2.0.4-3 - fix three security issues in gnutls handshake - GNUTLS-SA-2008-1 (#447461, #447462, #447463) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 34748 published 2008-11-12 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/34748 title Fedora 9 : gnutls-2.0.4-4.fc9 (2008-9530) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2008-9530. # include("compat.inc"); if (description) { script_id(34748); script_version ("1.13"); script_cvs_date("Date: 2019/08/02 13:32:28"); script_cve_id("CVE-2008-4989"); script_xref(name:"FEDORA", value:"2008-9530"); script_name(english:"Fedora 9 : gnutls-2.0.4-4.fc9 (2008-9530)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: " - Tue Nov 11 2008 Tomas Mraz <tmraz at redhat.com> 2.0.4-4 - fix chain verification issue CVE-2008-4989 (#470079) - Tue May 20 2008 Tomas Mraz <tmraz at redhat.com> 2.0.4-3 - fix three security issues in gnutls handshake - GNUTLS-SA-2008-1 (#447461, #447462, #447463) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=470079" ); # https://lists.fedoraproject.org/pipermail/package-announce/2008-November/016089.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?bf5816b1" ); script_set_attribute( attribute:"solution", value:"Update the affected gnutls package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N"); script_cwe_id(255); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:gnutls"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:9"); script_set_attribute(attribute:"patch_publication_date", value:"2008/11/12"); script_set_attribute(attribute:"plugin_publication_date", value:"2008/11/12"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2008-2019 Tenable Network Security, Inc."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^9([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 9.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC9", reference:"gnutls-2.0.4-4.fc9")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "gnutls"); }
NASL family Solaris Local Security Checks NASL id SOLARIS10_123938-04.NASL description GNOME 2.6.0: GNU Transport Layer Security Library Patch. Date this patch was last updated by Sun : Nov/15/14 last seen 2020-06-01 modified 2020-06-02 plugin id 107398 published 2018-03-12 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/107398 title Solaris 10 (sparc) : 123938-04 NASL family Solaris Local Security Checks NASL id SOLARIS10_X86_123939-02.NASL description GNOME 2.6.0_x86: GNU Transport Layer Security Library Patch. Date this patch was last updated by Sun : Jun/04/09 last seen 2020-06-01 modified 2020-06-02 plugin id 107899 published 2018-03-12 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/107899 title Solaris 10 (x86) : 123939-02 NASL family Fedora Local Security Checks NASL id FEDORA_2008-10000.NASL description This library allows to manipulate XML files. It includes support to read, modify and write XML and HTML files. There is DTDs support this includes parsing and validation even with complex DtDs, either at parse time or later once the document has been modified. The output can be a simple SAX stream or and in-memory DOM like representations. In this case one can use the built-in XPath and XPointer implementation to select subnodes or ranges. A flexible Input/Output mechanism is available, with existing HTTP and FTP modules and combined to an URI library. Update Information: Fixes a couple of security issues when overflowing text data size of buffer size. last seen 2016-09-26 modified 2012-10-01 plugin id 37490 published 2009-04-23 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=37490 title Fedora 10 2008-10000 NASL family Solaris Local Security Checks NASL id SOLARIS10_X86_123939-05.NASL description GNOME 2.6.0_x86: GNU Transport Layer Security Library Patch. Date this patch was last updated by Sun : Oct/17/16 last seen 2020-06-01 modified 2020-06-02 plugin id 107902 published 2018-03-12 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/107902 title Solaris 10 (x86) : 123939-05 NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2008-0982.NASL description Updated gnutls packages that fix a security issue are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The GnuTLS library provides support for cryptographic algorithms and for protocols such as Transport Layer Security (TLS). Martin von Gagern discovered a flaw in the way GnuTLS verified certificate chains provided by a server. A malicious server could use this flaw to spoof its identity by tricking client applications using the GnuTLS library to trust invalid certificates. (CVE-2008-4989) Users of GnuTLS are advised to upgrade to these updated packages, which contain a backported patch that corrects this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 34752 published 2008-11-12 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/34752 title RHEL 5 : gnutls (RHSA-2008:0982) NASL family Fedora Local Security Checks NASL id FEDORA_2008-9600.NASL description - Tue Nov 11 2008 Tomas Mraz <tmraz at redhat.com> 1.6.3-5 - fix chain verification issue CVE-2008-4989 (#470079) - Fri Jun 20 2008 Tomas Mraz <tmraz at redhat.com> 1.6.3-4 - backported fix for compression support (#451952) - Tue May 20 2008 Tomas Mraz <tmraz at redhat.com> 1.6.3-3 - fix three security issues in gnutls handshake - GNUTLS-SA-2008-1 (#447461, #447462, #447463) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 34750 published 2008-11-12 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/34750 title Fedora 8 : gnutls-1.6.3-5.fc8 (2008-9600) NASL family SuSE Local Security Checks NASL id SUSE_GNUTLS-5851.NASL description gnutls did not properly verify x509 certificate chains. An attacker could exploit that to trick client programs into trusting servers that would normally get rejected. (CVE-2008-4989) last seen 2020-06-01 modified 2020-06-02 plugin id 41515 published 2009-09-24 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/41515 title SuSE 10 Security Update : GnuTLS (ZYPP Patch Number 5851) NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2008-227.NASL description Martin von Gagern found a flow in how GnuTLS versions 1.2.4 up until 2.6.1 verified certificate chains provided by a server. A malicious server could use this flaw to spoof its identity by tricking client applications that used the GnuTLS library to trust invalid certificates (CVE-2008-4989). Update : It was found that the previously-published patch to correct this issue caused a regression when dealing with self-signed certificates. An updated patch that fixes the security issue and resolves the regression issue has been applied to these packages. last seen 2020-06-01 modified 2020-06-02 plugin id 36960 published 2009-04-23 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/36960 title Mandriva Linux Security Advisory : gnutls (MDVSA-2008:227-1) NASL family Solaris Local Security Checks NASL id SOLARIS10_X86_123939-03.NASL description GNOME 2.6.0_x86: GNU Transport Layer Security Library Patch. Date this patch was last updated by Sun : Sep/13/14 last seen 2020-06-01 modified 2020-06-02 plugin id 107900 published 2018-03-12 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/107900 title Solaris 10 (x86) : 123939-03 NASL family SuSE Local Security Checks NASL id SUSE_GNUTLS-5844.NASL description gnutls did not properly verify x509 certificate chains. An attacker could exploit that to trick client programs into trusting servers that would normally get rejected (CVE-2008-4989). last seen 2020-06-01 modified 2020-06-02 plugin id 35080 published 2008-12-10 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/35080 title openSUSE 10 Security Update : gnutls (gnutls-5844) NASL family SuSE Local Security Checks NASL id SUSE_GNUTLS-6079.NASL description The previous security fix for gnutls (CVE-2008-4989) introduced a regression in the X.509 validation code for self-signed certificates. This update fixes this problem. last seen 2020-06-01 modified 2020-06-02 plugin id 36201 published 2009-04-21 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/36201 title openSUSE 10 Security Update : gnutls (gnutls-6079) NASL family SuSE Local Security Checks NASL id SUSE_11_0_GNUTLS-081204.NASL description gnutls did not properly verify x509 certificate chains. An attacker could exploit that to trick client programs into trusting servers that would normally get rejected (CVE-2008-4989). last seen 2020-06-01 modified 2020-06-02 plugin id 39972 published 2009-07-21 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/39972 title openSUSE Security Update : gnutls (gnutls-358) NASL family Scientific Linux Local Security Checks NASL id SL_20081111_GNUTLS_ON_SL5_X.NASL description Martin von Gagern discovered a flaw in the way GnuTLS verified certificate chains provided by a server. A malicious server could use this flaw to spoof its identity by tricking client applications using the GnuTLS library to trust invalid certificates. (CVE-2008-4989) last seen 2020-06-01 modified 2020-06-02 plugin id 60492 published 2012-08-01 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/60492 title Scientific Linux Security Update : gnutls on SL5.x i386/x86_64 NASL family Solaris Local Security Checks NASL id SOLARIS10_X86_123939-04.NASL description GNOME 2.6.0_x86: GNU Transport Layer Security Library Patch. Date this patch was last updated by Sun : Nov/15/14 last seen 2020-06-01 modified 2020-06-02 plugin id 107901 published 2018-03-12 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/107901 title Solaris 10 (x86) : 123939-04 NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2008-0982.NASL description From Red Hat Security Advisory 2008:0982 : Updated gnutls packages that fix a security issue are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The GnuTLS library provides support for cryptographic algorithms and for protocols such as Transport Layer Security (TLS). Martin von Gagern discovered a flaw in the way GnuTLS verified certificate chains provided by a server. A malicious server could use this flaw to spoof its identity by tricking client applications using the GnuTLS library to trust invalid certificates. (CVE-2008-4989) Users of GnuTLS are advised to upgrade to these updated packages, which contain a backported patch that corrects this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 67768 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/67768 title Oracle Linux 5 : gnutls (ELSA-2008-0982) NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2008-315-01.NASL description New gnutls packages are available for Slackware 12.0, 12.1, and -current to fix a security issue. NOTE: The package for 12.0 has a different shared library soname, and the packages for 12.1 and -current have an API/ABI change. Only the Pidgin package in Slackware links with GnuTLS, and upgraded Pidgin packages have also been made available. However, if the updated GnuTLS package is installed any other custom-compiled software that uses GnuTLS may need to be recompiled. last seen 2020-06-01 modified 2020-06-02 plugin id 34731 published 2008-11-11 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/34731 title Slackware 12.0 / 12.1 / current : gnutls (SSA:2008-315-01) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2008-0982.NASL description Updated gnutls packages that fix a security issue are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The GnuTLS library provides support for cryptographic algorithms and for protocols such as Transport Layer Security (TLS). Martin von Gagern discovered a flaw in the way GnuTLS verified certificate chains provided by a server. A malicious server could use this flaw to spoof its identity by tricking client applications using the GnuTLS library to trust invalid certificates. (CVE-2008-4989) Users of GnuTLS are advised to upgrade to these updated packages, which contain a backported patch that corrects this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 43716 published 2010-01-06 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/43716 title CentOS 5 : gnutls (CESA-2008:0982) NASL family Solaris Local Security Checks NASL id SOLARIS10_123938-02.NASL description GNOME 2.6.0: GNU Transport Layer Security Library Patch. Date this patch was last updated by Sun : Jun/04/09 last seen 2020-06-01 modified 2020-06-02 plugin id 107396 published 2018-03-12 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/107396 title Solaris 10 (sparc) : 123938-02 NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-678-2.NASL description USN-678-1 fixed a vulnerability in GnuTLS. The upstream patch introduced a regression when validating certain certificate chains that would report valid certificates as untrusted. This update fixes the problem. We apologize for the inconvenience. Martin von Gagern discovered that GnuTLS did not properly verify certificate chains when the last certificate in the chain was self-signed. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to view sensitive information. (CVE-2008-4989). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 37045 published 2009-04-23 reporter Ubuntu Security Notice (C) 2008-2019 Canonical, Inc. / NASL script (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/37045 title Ubuntu 6.06 LTS / 7.10 / 8.04 LTS / 8.10 : gnutls12, gnutls13, gnutls26 regression (USN-678-2) NASL family SuSE Local Security Checks NASL id SUSE_GNUTLS-6073.NASL description The previous security fix for gnutls (CVE-2008-4989) introduced a regression in the X.509 validation code for self-signed certificates. This update fixes this problem. last seen 2020-06-01 modified 2020-06-02 plugin id 41516 published 2009-09-24 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/41516 title SuSE 10 Security Update : GnuTLS (ZYPP Patch Number 6073) NASL family Solaris Local Security Checks NASL id SOLARIS10_123938.NASL description GNOME 2.6.0: GNU Transport Layer Security Library Patch. Date this patch was last updated by Sun : Oct/17/16 This plugin has been deprecated and either replaced with individual 123938 patch-revision plugins, or deemed non-security related. last seen 2019-02-21 modified 2018-07-30 plugin id 24374 published 2007-02-18 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=24374 title Solaris 10 (sparc) : 123938-05 (deprecated) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-809-1.NASL description Moxie Marlinspike and Dan Kaminsky independently discovered that GnuTLS did not properly handle certificates with NULL characters in the certificate name. An attacker could exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications. (CVE-2009-2730) Dan Kaminsky discovered GnuTLS would still accept certificates with MD2 hash signatures. As a result, an attacker could potentially create a malicious trusted certificate to impersonate another site. This issue only affected Ubuntu 6.06 LTS and Ubuntu 8.10. (CVE-2009-2409) USN-678-1 fixed a vulnerability and USN-678-2 a regression in GnuTLS. The upstream patches introduced a regression when validating certain certificate chains that would report valid certificates as untrusted. This update fixes the problem, and only affected Ubuntu 6.06 LTS and Ubuntu 8.10 (Ubuntu 8.04 LTS and 9.04 were fixed at an earlier date). In an effort to maintain a strong security stance and address all known regressions, this update deprecates X.509 validation chains using MD2 and MD5 signatures. To accomodate sites which must still use a deprected RSA-MD5 certificate, GnuTLS has been updated to stop looking when it has found a trusted intermediary certificate. This new handling of intermediary certificates is in accordance with other SSL implementations. Martin von Gagern discovered that GnuTLS did not properly verify certificate chains when the last certificate in the chain was self-signed. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to view sensitive information. (CVE-2008-4989). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 40656 published 2009-08-20 reporter Ubuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/40656 title Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 : gnutls12, gnutls13, gnutls26 vulnerabilities (USN-809-1) NASL family SuSE Local Security Checks NASL id SUSE_11_1_GNUTLS-090313.NASL description The previous security fix for gnutls (CVE-2008-4989) introduced a regression in the X.509 validation code for self-signed certificates. This update fixes this problem. last seen 2020-06-01 modified 2020-06-02 plugin id 40224 published 2009-07-21 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/40224 title openSUSE Security Update : gnutls (gnutls-605) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200901-10.NASL description The remote host is affected by the vulnerability described in GLSA-200901-10 (GnuTLS: Certificate validation error) Martin von Gagern reported that the _gnutls_x509_verify_certificate() function in lib/x509/verify.c trusts certificate chains in which the last certificate is an arbitrary trusted, self-signed certificate. Impact : A remote attacker could exploit this vulnerability and spoof arbitrary names to conduct Man-In-The-Middle attacks and intercept sensitive information. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 35379 published 2009-01-15 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/35379 title GLSA-200901-10 : GnuTLS: Certificate validation error NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_45298931B3BF11DD80F8001CC0377035.NASL description SecurityFocus reports : GnuTLS is prone to a security-bypass vulnerability because the application fails to properly validate chained X.509 certificates. Successfully exploiting this issue allows attackers to perform man-in-the-middle attacks by impersonating trusted servers. Unsuspecting users may be under a false sense of security that can aid attackers in launching further attacks. last seen 2020-06-01 modified 2020-06-02 plugin id 34786 published 2008-11-17 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/34786 title FreeBSD : gnutls -- X.509 certificate chain validation vulnerability (45298931-b3bf-11dd-80f8-001cc0377035) NASL family Solaris Local Security Checks NASL id SOLARIS10_123938-03.NASL description GNOME 2.6.0: GNU Transport Layer Security Library Patch. Date this patch was last updated by Sun : Sep/13/14 last seen 2020-06-01 modified 2020-06-02 plugin id 107397 published 2018-03-12 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/107397 title Solaris 10 (sparc) : 123938-03 NASL family Solaris Local Security Checks NASL id SOLARIS10_X86_123939.NASL description GNOME 2.6.0_x86: GNU Transport Layer Security Library Patch. Date this patch was last updated by Sun : Oct/17/16 This plugin has been deprecated and either replaced with individual 123939 patch-revision plugins, or deemed non-security related. last seen 2019-02-21 modified 2018-07-30 plugin id 24386 published 2007-02-18 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=24386 title Solaris 10 (x86) : 123939-05 (deprecated) NASL family SuSE Local Security Checks NASL id SUSE_11_0_GNUTLS-090313.NASL description The previous security fix for gnutls (CVE-2008-4989) introduced a regression in the X.509 validation code for self-signed certificates. This update fixes this problem. last seen 2020-06-01 modified 2020-06-02 plugin id 39973 published 2009-07-21 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/39973 title openSUSE Security Update : gnutls (gnutls-605) NASL family SuSE Local Security Checks NASL id SUSE_11_GNUTLS-090317.NASL description The previous security fix for gnutls (CVE-2008-4989) introduced a regression in the X.509 validation code for self-signed certificates. This update fixes this problem. last seen 2020-06-01 modified 2020-06-02 plugin id 41398 published 2009-09-24 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/41398 title SuSE 11 Security Update : GnuTLS (SAT Patch Number 632) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1719.NASL description Martin von Gagern discovered that GNUTLS, an implementation of the TLS/SSL protocol, handles verification of X.509 certificate chains incorrectly if a self-signed certificate is configured as a trusted certificate. This could cause clients to accept forged server certificates as genuine. (CVE-2008-4989 ) In addition, this update tightens the checks for X.509v1 certificates which causes GNUTLS to reject certain certificate chains it accepted before. (In certificate chain processing, GNUTLS does not recognize X.509v1 certificates as valid unless explicitly requested by the application.) last seen 2020-06-01 modified 2020-06-02 plugin id 35637 published 2009-02-12 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/35637 title Debian DSA-1719-1 : gnutls13 - design flaw NASL family Fedora Local Security Checks NASL id FEDORA_2008-10162.NASL description - Tue Nov 11 2008 Tomas Mraz <tmraz at redhat.com> 2.4.2-3 - fix chain verification issue CVE-2008-4989 (#470079) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 62276 published 2012-09-24 reporter This script is Copyright (C) 2012-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/62276 title Fedora 10 : gnutls-2.4.2-3.fc10 (2008-10162) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-678-1.NASL description Martin von Gagern discovered that GnuTLS did not properly verify certificate chains when the last certificate in the chain was self-signed. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to view sensitive information. (CVE-2008-4989). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 37965 published 2009-04-23 reporter Ubuntu Security Notice (C) 2008-2019 Canonical, Inc. / NASL script (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/37965 title Ubuntu 6.06 LTS / 7.10 / 8.04 LTS / 8.10 : gnutls12, gnutls13, gnutls26 vulnerability (USN-678-1) NASL family Solaris Local Security Checks NASL id SOLARIS10_123938-05.NASL description GNOME 2.6.0: GNU Transport Layer Security Library Patch. Date this patch was last updated by Sun : Oct/17/16 last seen 2020-06-01 modified 2020-06-02 plugin id 107399 published 2018-03-12 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/107399 title Solaris 10 (sparc) : 123938-05
Oval
accepted | 2013-04-29T04:15:11.466-04:00 | ||||||||||||
class | vulnerability | ||||||||||||
contributors |
| ||||||||||||
definition_extensions |
| ||||||||||||
description | The _gnutls_x509_verify_certificate function in lib/x509/verify.c in libgnutls in GnuTLS before 2.6.1 trusts certificate chains in which the last certificate is an arbitrary trusted, self-signed certificate, which allows man-in-the-middle attackers to insert a spoofed certificate for any Distinguished Name (DN). | ||||||||||||
family | unix | ||||||||||||
id | oval:org.mitre.oval:def:11650 | ||||||||||||
status | accepted | ||||||||||||
submitted | 2010-07-09T03:56:16-04:00 | ||||||||||||
title | The _gnutls_x509_verify_certificate function in lib/x509/verify.c in libgnutls in GnuTLS before 2.6.1 trusts certificate chains in which the last certificate is an arbitrary trusted, self-signed certificate, which allows man-in-the-middle attackers to insert a spoofed certificate for any Distinguished Name (DN). | ||||||||||||
version | 19 |
Redhat
advisories |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
rpms |
|
Seebug
bulletinFamily | exploit |
description | BUGTRAQ ID: 32232 CVE(CAN) ID: CVE-2008-4989 GnuTLS是用于实现TLS加密协议的函数库。 GNU TLS库的X.509证书链验证中存在错误,允许中间人用户使用任意名称并诱骗GNU TLS客户端信任该名称。 漏洞具体存在于x509/verify.c文件的_gnutls_x509_verify_certificate函数中: 1. 用可信任证书列表验证证书列表的最后一个单元。 2. 如果是自签名的话,从列表中删除最后一个单元。 3. 检查证书链确保每个证书都由后一个签名,除了最后一个单元。 如果向列表中添加任意的自签名可信任证书,就不会检查可信任证书列表便信任倒数第二个单元。 0 GNU GnuTLS < 2.6.1 GNU --- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: <a href=http://ftp.gnu.org/pub/gnu/gnutls/gnutls-2.6.1.tar.bz2 target=_blank>http://ftp.gnu.org/pub/gnu/gnutls/gnutls-2.6.1.tar.bz2</a> |
id | SSV:4429 |
last seen | 2017-11-19 |
modified | 2008-11-12 |
published | 2008-11-12 |
reporter | Root |
title | GnuTLS X.509证书链验证漏洞 |
References
- http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3215
- http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3215
- http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3217
- http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3217
- http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html
- http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html
- http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00010.html
- http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00010.html
- http://secunia.com/advisories/32619
- http://secunia.com/advisories/32619
- http://secunia.com/advisories/32681
- http://secunia.com/advisories/32681
- http://secunia.com/advisories/32687
- http://secunia.com/advisories/32687
- http://secunia.com/advisories/32879
- http://secunia.com/advisories/32879
- http://secunia.com/advisories/33501
- http://secunia.com/advisories/33501
- http://secunia.com/advisories/33694
- http://secunia.com/advisories/33694
- http://secunia.com/advisories/35423
- http://secunia.com/advisories/35423
- http://security.gentoo.org/glsa/glsa-200901-10.xml
- http://security.gentoo.org/glsa/glsa-200901-10.xml
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-260528-1
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-260528-1
- http://wiki.rpath.com/Advisories:rPSA-2008-0322
- http://wiki.rpath.com/Advisories:rPSA-2008-0322
- http://www.debian.org/security/2009/dsa-1719
- http://www.debian.org/security/2009/dsa-1719
- http://www.gnu.org/software/gnutls/security.html
- http://www.gnu.org/software/gnutls/security.html
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:227
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:227
- http://www.redhat.com/support/errata/RHSA-2008-0982.html
- http://www.redhat.com/support/errata/RHSA-2008-0982.html
- http://www.securityfocus.com/archive/1/498431/100/0/threaded
- http://www.securityfocus.com/archive/1/498431/100/0/threaded
- http://www.securityfocus.com/bid/32232
- http://www.securityfocus.com/bid/32232
- http://www.securitytracker.com/id?1021167
- http://www.securitytracker.com/id?1021167
- http://www.ubuntu.com/usn/usn-678-2
- http://www.ubuntu.com/usn/usn-678-2
- http://www.vupen.com/english/advisories/2008/3086
- http://www.vupen.com/english/advisories/2008/3086
- http://www.vupen.com/english/advisories/2009/1567
- http://www.vupen.com/english/advisories/2009/1567
- https://exchange.xforce.ibmcloud.com/vulnerabilities/46482
- https://exchange.xforce.ibmcloud.com/vulnerabilities/46482
- https://issues.rpath.com/browse/RPL-2886
- https://issues.rpath.com/browse/RPL-2886
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11650
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11650
- https://usn.ubuntu.com/678-1/
- https://usn.ubuntu.com/678-1/
- https://www.redhat.com/archives/fedora-package-announce/2008-November/msg00222.html
- https://www.redhat.com/archives/fedora-package-announce/2008-November/msg00222.html
- https://www.redhat.com/archives/fedora-package-announce/2008-November/msg00293.html
- https://www.redhat.com/archives/fedora-package-announce/2008-November/msg00293.html